U.S. Lawmakers Demand Answers After Treasury Department Hack

After the Treasury Department disclosed a major security incident by a Chinese APT, U.S. lawmakers are asking for more information on the cyberattack.

U.S. lawmakers want more information after the Treasury Department was hit by a “major cybersecurity incident” earlier in December, giving Chinese APT actors access to unclassified documents and Treasury workstations.

“This breach of federal government information is extremely concerning,” according to a new letter this week, sent by Sen. Tim Scott (R-S.C.) and Rep. French Hill (R-Ark.) to Secretary of the Treasury Department Janet Yellen.

“As you know, Treasury maintains some of the most highly sensitive information on U.S. persons throughout government, including tax information, business beneficial ownership, and suspicious activity reports. This information must be vigilantly protected from theft or surveillance by our foreign adversaries, including the Chinese Communist Party (“CCP”), who seek to harm the United States.”

Key Details:

  • The Treasury Department was targeted through a third-party software service provider, BeyondTrust: threat actors accessed a key used to secure a cloud-based service, then used it to override the service’s security and remotely access end-user workstations

  • Scott and Hill asked for more specific details of the incident, including which China-sponsored APT actor is responsible, the type and extent of information accessed, and when and how the incident occurred 

  • The lawmakers also asked about the specific steps that the Treasury Department plans to take to prevent a similar incident from happening again

Why It Matters: Details are continuing to emerge on the major Treasury Department hack. The incident specifically involved the Office of Foreign Assets Control (OFAC), according to a report by the Washington Post this week. OFAC is the financial intelligence agency within the Treasury Department responsible for enforcing economic and trade sanctions.

While the Treasury Department said in its original disclosure of the incident this week that it became aware of the attack on Dec. 8, it did not provide specifics around the timeline beyond that, including how long threat actors potentially had access to workstations or the specific APT actor responsible for the attack. The Treasury Department has also not responded to a request for comment on these matters.

The Big Picture: Lawmakers also asked how aware the Treasury Department was of security vulnerabilities related to third-party software services, including BeyondTrust and other services. This question hits on an important matter, as more organizations, including government entities, continue to struggle with the security risks that third-party software and services pose.

The incident also comes as the U.S. government grapples with other Chinese espionage attacks, including a major breach by Salt Typhoon of nine telecommunication companies, involving communications of U.S. government officials and political figures.

“The fact that a CCP-sponsored APT actor was able to access Treasury’s information systems is unacceptable and raises serious questions about the protocols for safeguarding sensitive federal government information from future cybersecurity incidents,” according to the letter by Scott and Hill, who represent the Senate Committee on Banking, Housing and Urban Affairs and House Committee on Financial Services.

What’s Next: Lawmakers asked the Treasury Department to provide answers to their questions no later than Jan. 10, 2025, which is a shorter timeline than the 30-day follow-up report that the Treasury Department had promised in its disclosure of the incident this week.